Documentation for LockOutRealm does not specify if failed logins due to being locked out by the LockOutRealm count as failed logins for the purpose of locking out a user.
For example: Let's say I'm protecting an API with LockOutRealm and the authentication fails either due to a maliciously bad password, an accidentally bad password, or a back-end auth failure. This results in a LockOut condition because it happened x times in y period. But the machines legitimately hitting the API don't care and continue to fail to authenticate during the LockOut period. Will the machines ever be allowed to authenticate, or is this a critical failure of the API?

Thanks for the report.
To answer the question, the LockOutRealm currently treats any authentication attempt during the lock out period as a failure. This does mean that once an account is locked out, if the legitimate user attempts to log in more frequently than the lockout period, that user is never going to regain access.
It does make sense to change this behaviour (and document it) so that valid logins do not extend the lockout period. I'll take a look at a patch.

Thanks for this fix. I'd like to ask one more technical question about it: Are the wrapped realms authenticated before the lockout or is the lockout checked before attempting real authentication?
Example:
<Realm className="org.apache.catalina.realm.LockOutRealm">
  <!-- connectionURL and userPattern below are placeholder values -->
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://ldap.example.com:389"
         userPattern="uid={0},ou=people,dc=example,dc=com"/>
</Realm>
If I try to authenticate but I'm in lockout, is LDAP triggered? It looks like the answer is probably "yes" because of the 401 Unauthorized response, which usually indicates authentication was successful.
